Detecting DNS Exfiltration

Attackers today will try to steal information from their targets by whatever method is available. Of the many possible methods, we focus on DNS exfiltration. Data can be moved out through DNS because DNS traffic is rarely inspected, so attackers can set up tunneling over it to gain remote access to important assets without alerting any security defences.


In response to this, our group has come up with a way to detect whether DNS exfiltration has occurred based on the queries that were received by our system. Since DNS tunneling encodes data into DNS queries, our program analyses the queries and generates results based on them. We used dnscat2 as our tunneling tool because it was able to bypass the antivirus Bitdefender and the network intrusion detection system Security Onion simultaneously without triggering any alerts. Our code takes the DNS queries from .pcap files captured with Wireshark. The results are then collated into a PDF file to make them readable and safe for the user.
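To show the kind of analysis the paragraph above describes, here is an added example (not the group's own code) that scores query names by zone using three common tunnel indicators: the number of distinct subdomains, the entropy of the subdomain labels, and label length. It assumes the query names have already been pulled out of the Wireshark capture; the query list and the hex labels standing in for dnscat2 payloads are constructed for the example.

```python
import math
from collections import defaultdict

# Constructed sample: query names as they would be extracted from a Wireshark
# .pcap (e.g. `tshark -r capture.pcap -T fields -e dns.qry.name`), not a real
# capture. The 32-hex-character labels stand in for the hex-encoded chunks a
# dnscat2 tunnel places in front of its controlled domain.
_HEX = "0123456789abcdef"
SAMPLE_QUERIES = (
    ["www.example.com", "mail.example.com", "cdn.example.com", "api.example.com"]
    + [f"{(_HEX * 3)[i:i + 32]}.tunnel.example.net" for i in range(6)]
)

def shannon_entropy(text):
    """Bits per character: encoded payloads score high, dictionary words low."""
    if not text:
        return 0.0
    probs = [text.count(c) / len(text) for c in set(text)]
    return -sum(p * math.log2(p) for p in probs)

def query_features(name, zone_depth=2):
    """Split a query name into its zone and the labels an attacker controls."""
    labels = name.rstrip(".").lower().split(".")
    prefix = labels[:-zone_depth]
    payload = "".join(prefix)
    return {"zone": ".".join(labels[-zone_depth:]), "payload": payload,
            "max_label": max((len(lab) for lab in prefix), default=0),
            "entropy": shannon_entropy(payload)}

def find_suspicious_zones(queries, min_unique=5, min_entropy=3.3, max_label=30):
    """Group queries by zone; report zones that trip at least two heuristics."""
    per_zone = defaultdict(list)
    for q in queries:
        f = query_features(q)
        per_zone[f["zone"]].append(f)
    report = {}
    for zone, feats in per_zone.items():
        payloads = {f["payload"] for f in feats if f["payload"]}
        mean_entropy = sum(f["entropy"] for f in feats) / len(feats)
        longest = max(f["max_label"] for f in feats)
        reasons = []
        if len(payloads) >= min_unique:
            reasons.append(f"{len(payloads)} distinct subdomains")
        if mean_entropy >= min_entropy:
            reasons.append(f"mean subdomain entropy {mean_entropy:.2f} bits")
        if longest > max_label:
            reasons.append(f"longest label {longest} characters")
        if len(reasons) >= 2:  # a single signal alone is noisy (CDNs, telemetry)
            report[zone] = reasons
    return report
```

The thresholds are starting points: CDNs, antivirus lookups and other telemetry also produce long, high-entropy names, so tune them against a capture of the network's normal traffic before treating a hit as exfiltration.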


